Neal Kumar Katyal, “Criminal Law in Cyberspace”, University of Pennsylvania Law Review, Vol. 149, No. 4 (Apr., 2001), pp. 1003-1114. Presented by: Tasneem Deo (1533)

Upload: savanna-blackaby

Post on 14-Dec-2015



INTRODUCTION

A new breed of crime has emerged over the past decade: cyber crime. Eg. ILoveYou worm

Law has not necessarily caught up with these crimes.

Legal approach:

Existing rules are not suitable for the computer age and governments should not impose legal order on the internet (Johnson and Post)

Cyber crimes should be regulated the same way as criminal acts. (US Department of Justice)

Author’s view: Neither of the aforementioned is correct and legal regulation should recognize the similarities and differences between cyber crimes and traditional crimes.

I. WHAT IS CYBERCRIME?

The term “cybercrime” refers to the use of a computer to facilitate or carry out a criminal offense. This can occur in different ways:

(1) A computer can be electronically attacked.

(i) unauthorized access to computer files and programs
(ii) unauthorized disruption of those files and programs
(iii) theft of an electronic identity.

(2) A computer is used to facilitate or carry out a traditional offense.

Many believe that cyber crime is in its infancy and the criminals have not reached their potential.

Although enforcement is weak, federal laws against cyber crimes have expanded. The activities that are criminalized include:

unauthorized access to a computer with intent to do some further bad act,
damage to computer-related property (including intangible property),
theft,
interruption,
denial of computer services,
introduction of computer viruses and other bugs,
disclosure of passwords or other computer security information,
e-mail crimes, typically harassing or unsolicited bulk e-mail, etc.

The major forms of cybercrime are:

A. Unauthorized Access to Computer Programs and Files

Unauthorized access occurs whenever an actor (person or another computer) achieves entry (electronically or physically) into a target's files or programs without permission.

Targets for unauthorized access may be categorized as the government, individuals, or commercial entities.

Such access poses severe risks to: security, privacy, proprietary information and trade secrets.

B. Unauthorized Disruption

It occurs when an entity, without permission, interferes with the functionality of computer software or hardware.

These entities may be:

1. Viruses

A virus is a program that modifies other computer programs so that it can multiply.

A virus is not inherently harmful; its harmfulness depends upon the code placed within it apart from the code for self-replication.

2. Worms

A worm uses a computer network to duplicate itself and does not require human activity for transmission.

3. Logic Bombs and Trojan Horses

A logic bomb tells a computer to execute a set of instructions at a certain time under certain specified conditions; until then, it can lie undetected in software or hardware.

A Trojan horse, by contrast, is a computer program that performs some apparently useful function, but which also contains malicious hidden code.

4. Distributed Denial of Service

Distributed Denial of Service (DDOS) attacks overwhelm web sites and stop them from communicating with other computers.

To carry out a DDOS attack, an individual obtains unauthorized access to computer systems and places software code on them so as to render one of them a “Master” and the others “zombies” or “slaves”. The former sends information to the latter, which upon receipt of such information make repeated requests to connect with the attack's ultimate target, typically using a fictitious or spoofed IP address.

C. Theft of Identity

Identity theft occurs when one’s identity is wrongfully appropriated by another.

Examples include cross-site scripting, page jacking or IP spoofing.

D. Carrying Out a Traditional Offense

Computers can be used to carry out virtually any offense in real space. Some examples of criminal activity in this category are:

1. Child Pornography

It poses an enlarged problem in cyber space due to low production costs, easy and widespread distribution, and the challenges to regulation due to its multi-jurisdictional nature.

Cyber technology also fuels the debate with regard to criminalization of child pornography as it alters the manner in which child pornography is produced.

Cyber space partially melts the boundary between public and private enforcement by enabling citizens to become not simply informants, but also private enforcement agents.

2. Copyright

The barriers of analog degradation, high copying costs, and the risk that co-conspirators will be flipped are not present in cyber space.

It is a real threat as software piracy cost the United States some 109,000 jobs and $991 million in tax revenue.

The factors which must be kept in mind when regulating this activity are:

Role of profit in criminal enterprise.
In cyberspace, everyone is a potential big fish, and the smaller fish, who might, in real space, become cooperators, have disappeared.

3. Cyberstalking

Cyberstalking occurs when someone is threatened or harassed online.

Cyberstalking and realspace stalking are heavily correlated.

The features of cyberstalking include:

An anonymous stalker is harder to catch.
Because the perpetrator does not see the harm his actions inflict, the victim's reaction cannot cause a change of heart.
The lack of an in-person confrontation also makes intent harder to presume or ascertain.

4. Illegal Firearms Sales

Cyberspace assists in the commission of this crime as:

Anonymity facilitates transactions and frustrates the ability of law enforcement to recruit informants and cooperators, and invisibility allows evasion of law enforcement.

Gun sellers in cyberspace cannot conduct a trustworthy background check even when legally required to do so.

It facilitates the meeting of illegal buyers and sellers in the first place, despite the fact that they live in different states or even in different countries.

II. TREATING CYBER CRIME DIFFERENTLY

The author outlines strategies that may be used to tackle cyber crimes in light of their unique character.

A. First-Party Strategies

These strategies focus directly on the perpetrator of the crimes.

1. Five Constraints on Crime

The constraints are:

(i) law enforcement risks,
(ii) social norms,
(iii) architectural strategies,
(iv) physical risk from the crime,
(v) monetary costs (cost deterrence). Eg. taxing dangerous software, charging small admissions fees to enter sensitive web sites, etc.

Across the broad field of criminal law, the heterogeneity of offender populations plays out in other ways besides attitudes towards risk.

Accurate assessments of optimal deterrence, therefore, should go beyond legal sanctions to incorporate concepts of monetary cost, social norms, physical risks, and architecture.

2. The Efficiency of Cybercrime

The advent of personal computers poses a significant threat to the rule of law and has the potential to reduce all five constraints on crime. That is because:

(i) computers are a powerful substitute for additional people in a criminal enterprise;

(ii) computers permit anonymity and secure communications; and

(iii) cyber criminals are often invisible, remote, and untraceable.

a. Conspiracy’s Demise

The computer has obliterated the need for a co-conspirator as it can conduct many tasks at once, it does not demand a percentage of the earnings and it will not betray the criminal’s confidences.

Recommendation: To this extent the computer must be treated as a quasi-conspirator.

Benefit: Inchoate conduct is targeted as the use of a computer to carry out a crime is punished.

b. Pseudonymity and Encryption

Cyberspace facilitates the commission of crimes by permitting users to masquerade as other individuals or as an unknown entity.

Encryption has the potential to threaten effective investigation and prosecution substantially.

Difficulty: The Dual Use Problem (refuge to criminals and also benefits to legitimate users)

Recommendation: Law should look not to the act itself, but to its context through:

Licensing – license the use of cryptography.
Disadvantage: transaction costs.
Advantage: garner information, list of suspects, pledge not to engage in criminal activity, place immediate suspicion on unlicensed users.

Proven excuse – exclude certain persons from acting in a specific way or impose restrictions on the act itself.
Disadvantage: negative substitution, over-inclusiveness.

Standard sentencing enhancement – sentence for a particular crime could increase by a specified percentage if encryption or pseudonymity was used to facilitate the crime.
Particulars: Shift the burden of proof; and permit reduction if encryption is used for legitimate purposes or if the criminal provides information that is useful.
Advantage: corrects the "discount" offered by this new technology; selectively targets specific negative uses of encryption, thus permitting legitimate uses of encryption to continue; it slides with the underlying offense, thus recognizing variance in harms; better suited to rapidly changing technology.
Disadvantage: detection is still difficult, drain on judicial resources.
Alternative: Cost deterrence through taxing encryption and allowing rebates to those who did not use it for illegal activities; civil forfeiture laws.

c. Tracing and Escape

As there is no need for physical presence in order to commit cyber crimes, online tracing faces some major problems:

(i) pseudonymity,
(ii) weaving through various computer networks,
(iii) packet-related problems,
(iv) implementing a tracing order is difficult due to the presence of several entities across countries,
(v) public reaction (fears over privacy),
(vi) computers make it easier for criminals to disrupt law enforcement by spying on informants and sabotaging networks,
(vii) sophistication and expertise can be given fully to others who lack it.

Recommendation: high penalties to compensate for the low probability of enforcement; innocent software programmers who write material that facilitates crime also need to be regulated.

B. Second-Party Strategies of Victim Precaution

These strategies focus on the victim.

1. Optimal Victim Behavior

Need: The government is unable to police cyberspace the same way as it can police realspace, and there is a strong interlinkage of victims.

Advantage: For some types of cybercrime, reliance on victim precaution is optimal because the cost of government identification, investigation, and prosecution of the crime is too great.

Recommendation: Government to give priority to prosecuting those cases in which the victim took adequate precautions to provide some incentive for potential victims to take these precautions.

To maximize efficiency, government could use a formula that compares the cost of preventing the crime against the potential monetary loss that an intrusion could generate.

2. The Limits of Victim Precaution

A strong presence by law enforcement in cyberspace is necessary because victim precaution is something to be feared, not welcomed, in many instances, as:

It could fragment cyber space into a series of trusted networks for privileged users, thus stymieing the development of the internet and denying the technological and other advantages technology can provide.

Instead of denying access altogether, web sites will build strong firewalls to prevent access to certain areas of their sites resulting in the costs of hardware and software purchases, programmer time, hardware maintenance and software upgrades, administrative setup and training, inconveniences and lost business opportunities resulting from a broken gateway or denial of services, and an inevitable loss in connectivity.

The government must encourage the growth of networks by preventing crime to stop the electronic balkanization.

3. The Emergence of a Special Form of Crime: Targeting Networks

Certain crimes target the human network and are, in ways, worse than other crimes because they harm the community.

Crimes that undermine interconnectivity should be singled out for special disfavor, in realspace as well as cyberspace. Eg. Worms (which clog network connections).

Crimes that target the network, therefore, should be treated differently because they impose a special harm. This harm is not victim-centered, but community-centered, and explains why victims alone should not be able to make decisions about whom to prosecute.

4. New De Minimis Crime

De Minimis Doctrine: the triviality of an offense influences the probability of reporting and therefore enforcement.

In cyberspace, however, crimes are likely to be skewed and apportioned among many instead of few and hence victims are unlikely to notice and report these types of thefts. Eg. Salami attacks

The government should develop a policy that does not rely heavily on the victim.

Recommendation: Law will need to depend more on institutions that maintain accounts of potential victims, such as banks.

5. Supersleuth Victims and Electronic Vigilantism

Rather than being passive, the victims of cyber crimes become supersleuths, using their computer power to detect, report, and sometimes even punish cyber criminals. Eg. eBay in light of the DDOS attacks.

Unlike in realspace, in cyberspace, it is easier for victims to organize, even as an attack is happening.

Difficulty: If the law places high liability on these parties, the asymmetric incentive problem predicts that they will react by denying entry to questionable users. These actions have severe costs: individuals may be unfairly dismissed, their electronic identities ruined, data may be lost, and interconnectivity may suffer.

C. Third-Party Strategies of Scanning, Coding, and Norm Enforcement

Unlike crimes in realspace, electronic crimes often involve the assistance of innocent third parties who may be used to prevent such crimes. Eg. ISP.

Even when third parties are not present, they may be in a position to prevent cyber crimes from happening. Eg. programmers and hardware manufacturers.

1. Internet Service Providers

Need for regulation: ISPs provide cross-jurisdictional easy access and cyber criminals can coordinate simultaneous attacks and overwhelm traditional law enforcement

Role ISPs can play:

Monitor conduct – creating cyber profiles
Bounce risky subscribers by purging them from the network
Act as whistleblowers and report the instances of computer crime
Build software and hardware constraints into their systems
Make it easier for law enforcement to investigate crimes. Eg. preserve data trails for long periods

Disadvantages: costly, slow down systems, erode privacy

Recommendation: The government may subsidize the development of a common set of standards partially devised by industry. The failure to adhere to these standards could give rise to civil liability.

2. Credit Card Companies

Need for regulation: Credit cards are the predominant method of payment for illegal services offered over the internet.

Recommendation: Encourage credit card companies to refuse credit services to illegal businesses by giving credit cardholders the right to refuse to pay for items on their bill that are illegal.

3. Software and Hardware Manufacturers

Recommendation: The government can induce software and hardware manufacturers to employ architectural strategies that further deter cybercrime. For example:

Modify hardware routers to detect and eliminate suspicious traffic.
Mandate software manufacturers to remove trap doors or to provide accurate information about their existence.
Regulate the net more directly by encouraging or requiring the installation of more secure code, such as Internet Protocol Version Six.

Difficulties: government often lacks data about necessary security protocols and is even more unfamiliar with their costs; and the tension between security, operability and transparency.

4. Public Enforcement of Social Norms

In realspace, norm-based strategies are promising because crime is almost always visible. The architecture of cyberspace, however, alters these parameters.

a. The Influence of Social Norms

Difficulty: The lack of physical presence and concrete identity hamper the efficacy of regulation through social norms in cyberspace; and the ethic of cyberspace, which encourages role-playing and alternative characters, facilitates the erasure of norms.

Response: Because crimes committed in cyberspace still require a user to be in realspace, morality and conscience act as constraints in the invisible world of cyberspace.

Recommendation: Law makers should capitalize on this by focusing on mechanisms such as:

Strategies to teach children about the evils of cyber crime
Placing computers in visible locations
Facial displays between users

b. Broken Windows in Cyberspace

Broken Windows doctrine: As crimes become more common, the norms that constrain crime erode, and more crimes take place as a result of that erosion. (Wilson and George)

Recommendation: identify and prioritize types of computer crimes which produce complementarity. Eg. Punishing severely even minor pranks that achieve high visibility.

CONCLUSION

As criminals become more sophisticated about such attacks, the incidence of these crimes will rise and criminals' escapes will multiply. Law must counter this trend by embracing new strategies that harness the legal and non-legal constraints on crime.

The strategies are calculated to help set up incentives that make crime too expensive to carry out, preserve the benefits of the net, and provide computer users with the assurance that the net is at least as safe as realspace. Yet the strategies do run risks, from trenching on privacy and freedom of speech to poisoning the free flow of ideas.

The government currently relies on the speculative risk of imprisonment to deter wrongdoing, but a strategy focused on raising the perpetration costs associated with the wrongdoing itself may be more effective: by manipulating variables besides legal sanctions, crime may be prevented even when criminals are not that responsive to legal sanctions.